The new variant of the banking Trojan Coyote exploits accessibility features in Windows, specifically the Microsoft UI Automation framework. In this way, the malware detects banking and cryptocurrency exchange websites visited by the user and steals their credentials.
Microsoft UIA is a framework designed to allow assistive technologies to interact with elements of Windows application interfaces: read their properties, control them, and monitor changes. Applications present their structure as a UI Automation tree, and the UIA API allows browsing this tree, obtaining data about interface elements, and interacting with them by emulating user actions. All of this is intended to enable people with disabilities to fully utilize all the capabilities of their devices.
As early as December 2024, specialists from Akamai warned that UIA could be used for credential theft, emphasizing that this technique would allow bypassing EDR protection in any version of Windows starting from XP.
Now Akamai reported that their predictions are coming true: since February 2025, experts have observed real attacks using this technique, and it is the first known case where malware exploits Microsoft UIA capabilities for data theft.
The banking trojan Coyote has been active since February 2024. This malware aims to steal credentials from 75 banking and cryptocurrency applications, primarily targeting users in Brazil. When the malware was first discovered, it used keylogging and phishing overlays, but since then, Coyote has undergone significant changes.
According to researchers, the new version of Coyote continues to steal data using traditional methods, but also has added functions in its malware code to exploit UIA, which are used when a user opens banking or cryptocurrency services in a browser.
If Coyote cannot identify the object by the window title, it uses UIA to extract the web address from the browser’s UI elements (tabs or address bar). It then compares the obtained result with a hardcoded list of 75 targeted services.
Among the banks and exchanges that Coyote targets using this method are: Banco do Brasil, CaixaBank, Banco Bradesco, Santander, Original bank, Sicredi, Banco do Nordeste, Expanse, as well as Binance, Electrum, Bitcoin, Foxbit, and others.
Although in this case the misuse of UIA is limited to the reconnaissance phase, Akamai specialists have demonstrated that UIA can also be used for the actual theft of credentials from targeted sites.
“Parsing nested elements of another application without UIA is a non-trivial task,” researchers say. “To effectively read the contents of nested elements of another application, a developer must have a good understanding of how the specific target application is structured. Coyote can perform checks regardless of whether the malware is online or offline. This increases the chances of successfully identifying a bank or cryptocurrency exchange to steal credentials.”
Experts remind us that on Android, the issue of abusing Accessibility Services is very acute and has long become widespread.
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.04.29 — FBI Offers 10 million USD for information on Salt Typhoon members
The FBI offers up to 10 million USD for information about members of the Chinese hacker group Salt Typhoon and last year's attack that had…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.03.07 — YouTube warns of scam video featuring its CEO
According to YouTube, scammers use an AI-generated video of the company's CEO in phishing attacks to steal user credentials. The scammers attack content creators by sending them…
Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates
The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →
2025.03.24 — Alexa to stop processing data locally. All voice requests will be sent to Amazon Cloud
Amazon announced that the privacy option allowing users of Echo speakers to avoid sending their voice recordings to the company's cloud will no longer be supported. Effective March…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →